Symantec Endpoint Protection 12.1: Best Practices for Disaster Recovery with the Symantec Endpoint Protection Manager

Article:TECH160736  |  Created: 2011-05-24  |  Updated: 2014-07-22  |  Article URL http://www.symantec.com/docs/TECH160736
Article Type
Technical Solution


Issue



Symantec Endpoint Protection 12.1: How do I use Disaster Recovery with the SEPM (Symantec Endpoint Protection Manager)?


Environment



This article applies only to Symantec Endpoint Protection 12.1, and applies to both the Enterprise and Small Business Edition.

Symantec Endpoint Protection 11.x Disaster Recovery is somewhat different, and documented elsewhere. See http://www.symantec.com/docs/TECH102333


Solution



Use the information in this article to recover your Symantec Endpoint Protection environment in the event of a disaster.

How to prepare for disaster recovery:


To perform disaster recovery, you must prepare for disaster recovery. You prepare for disaster recovery by backing up the database, disaster recovery file, and (optionally) the IP address and host name of the management server. As a best practice, you should store this data off-site at a secure location.

Differences between SEP 11.x and 12.1.x


Many of the individual files and data that had to be separately gathered in SEP 11.x are now generated and saved automatically by the SEPM into one file, the disaster recovery file. The recovery file includes the encryption password, keystore files, default domain ID, certificate files, license files, and port numbers. This file can be imported automatically during the disaster recovery process.

Similar data from Endpoint Protection Manager 11.x that has been manually compiled is also referred to as a "recovery file" but cannot be automatically imported. If you are installing version 12.1 to recover a previous 11.x installation, you must refer to this file manually. See Using 11.x disaster recovery files with Symantec Endpoint Protection Manager 12.1

Steps to prepare for disaster recovery:

 

Task Additional Information
Step 1: Back up the database.

Back up the database regularly, preferably weekly. (Database Backup/Restore wizard) Located in the Start > Programs > Symantec Endpoint Protection Manager Folder. Note: the backup only saves the file to the location of the SEPM installation.

The database backup folder is saved to the following directory:

Drive: \\Program Files\Symantec\Symantec Endpoint Protection Manager\data\backup.

The backup file is called date_timestamp.zip.

Step 2: Back up the disaster recovery file.

The recovery file includes the encryption password, keystore files, default domain ID, certificate files, license files, and port numbers. After you install the management server, copy the compressed recovery file to another computer. By default, the file is located in the following directory:

Drive:\\Program Files\Symantec\ Symantec Endpoint Protection Manager\Server Private Key Backup\recovery_timestamp.zip

■ The recovery file only stores the default domain ID; IDs for all domains (including the default domain) are stored in the database. If you have multiple domains and will be performing a disaster recovery without a database backup, you must re-add additional domains and their IDs after the SEPM is re-installed. See step 3 for instructions on backing up additional domain IDs.

■ If you update the self-signed certificate to a different certificate type, the management server creates a new recovery file. Because the recovery file has a timestamp, you can tell which file is the latest file.

Step 3: Create text file Backup.txt. Save to this file the IP address and host name of the management server, and all domain IDs beyond the default domain.

If you have a catastrophic hardware failure, you must reinstall the management server using the IP address and host name of the original management server, this is case sensitive. Add the IP address and host name to a text file that is called Backup.txt. If you have multiple domains and will be performing a disaster recovery without a database backup, you must recreate additional domains and their IDs after the SEPM is re-installed. Domain IDs may be found in the SEPM Admin view or in sylink.xml files.

 

Step 4: Copy the files you backed up in the previous steps to another computer.

Copy the backed up files to a computer in a secure location.

 

 

Performing the disaster recovery:


A disaster recovery requires you to sequentially complete the following procedures:

  1. If you had a catastrophic hardware failure, restore the server hardware using the IP address and host name from Backup.txt (from Step 3 above).
  2. Reinstall Symantec Endpoint Protection Manager using a disaster recovery file (gathered in Step 2 above). When the Management Server Configuration Wizard runs, choose "Custom configuration" and "Use a recovery file". ( For Small Business Edition, if the folder does not exist, create the folder and place the recovery file there before installation. Location: <Install drive> \<Install folder>\Server Private Key Backup, Example: C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Server Private Key Backup)
  3. Stop the following Services: Symantec Endpoint Protection Manager and Symantec Endpoint Protection Manager Webserver
  4. Restore the database (Use the "Database Backup and Restore Wizard from the SEPM tools folder).


Note that the recovery file should be used during the configuration of a new installation; if you use the recovery file to re-configure an existing installation, the Manager certificate can be restored but the existing default domain ID will not be changed unless you restore a database backup. Also, if you choose to configure the Manager as a replication partner, the default domain ID in the recovery file will be ignored and the Manager will use the domain ID(s) in the database of its replication partner.

If you do not have a database backup to restore:


You can perform a disaster recovery without a database backup, but the following points apply in this case:

  • All policies must be re-created, or imported from other backups i.e. exported policy files.
  • Clients will be able to communicate with the SEPM but will re-appear in the console only after their next check-in.
  • Clients will reappear in the default group as they check in, unless you enable automatic creation of client groups on the re-installed SEPM by editing "scm.agent.groupcreation=true" to the conf.properties file. This file is located <drive>Program files or(x86)/Symantec/Symantec Endpoint Protection Manager/tomcat/etc.
  • If you originally had multiple SEPM domains beyond the default domain, you must re-create them using domain IDs from Backup.txt.

 

Re-enabling Federal Information Processing Standards (FIPS) 140-2 compliance:


If you are using a FIPS-compliant version of Symantec Endpoint Protection and have FIPS compliance enabled, then after recovering the SEPM, you must re-enable FIPS compliance. This setting is not stored in the disaster recovery file.

 




Article URL http://www.symantec.com/docs/TECH160736


Terms of use for this information are found in Legal Notices